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b. 

^■qRfcitwL*t^& s-c** i b *nmb-rzm3m 

[fs#JB3] mmuz-mi.. *mb'?hw*,<7)m%, 
^zmzTZz^zb zmmb-r&m&mi&tiiimx 

tdsbizmr^—fim^^zb znmb-t&m&m 

fflv^v^t**** i b zimb-i-zmmitzmm 

c»*«6] muz.— fffix-*mi,z&bti2>m-<?>& 
<rmizi$Lx&^-^cm®mzwmb Lxmmm 

m^—^^^msim—co^mm^m^x. mm 

b. < - 

ixt^jE-r & mi em-«o^^tc:w LX . 
bti em-is «t xfm—oyf * vfnm&n&frt&hWE. 

v7b tt-t&Z b ZW&b^h?* iS?)l>m%Jii£> 
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»«>wafl*3.-ir tzx om^mim^-r^z ± zimb 
•tzn^efrhrngmmmizfrizsmztitzTj 

sftX'&zt^frzmm-zzb zmLb-t&azme 
fr^mmm&mnMzm&zntiT^^ffim&ij 
a. ■ 

?>i~-7* »vzm\ ^ti.ri vtivmzx 

20 tt&b^&w&com%mzffl^&m*¥&?>a-}ib 
z^t&zb*ft®Lb-?h^>*:x.-r3imx*:V. 

nzft^tem&z&^ycom-co&fflmb-t&TJis 
fjmztt&m^Kffim&mi'X'rMzffl-t&ruf 

x. : - .■ .: . .. .•' ••• .'. ,,'-c.v 

^T--yrcon— Hk. 

mi^-cr>^xxm^-<r>^mm^m^x. mm 

-<0-f 4 ^^^W^cOiESttSrSitS-rSSSig^x-yro 
[0 00 1] 

50 t>J;t/-e^Srfflv^ffl?Klfi^X7 i A{cre-r-S. 
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100 0 2] [0 008] OS* 9. Bf^kp(*klpg$ftTVv£*;tf>, 

[fi!3fetf)f$fl5] 3>-t*-:?i5j:lXiIfI*-y hV-^O fttrf^kp. M) D(ks. E(k 

%Mkl%B%:&mzm\ &£&jim<7>Zo%:ffl&$;* P . M))£fH£LT¥:fcM£#&.r fc#T'#S?)ti. tm 

U fi#<. fiPS. TOT. #f fetrofc**; l>mmziEM 1 0 0 0 S> ] ±fE(l) (2>tCja^.T. <Ktf>^fr(4> 

-T -S .1 i: . **t(£»flW-*:fc*>. E^THJHfcfx tftii&t& ZbizJ:*) . IZfBifi ( =f < ~J? >vm4, ) ifi 

or^4/NVi>teS^&:^;i>'#;t£ftT^£. (4) COSMIC** U D(ks, .H>*«*"&ifc36»T 

[0003] &d»Mfe«9«fflv vMf . i*fl#<i « . itefcWfcfr*-* . 
a«rt*Sr«EW-*SCfflHWfJt«S9. L*'tfifl± 10 E(kp, 0(ks, M)) = M 

-?-io®^ilifi#* J Kir^>^*»Sr5iiitc5iig-rsc: t w [ 0 0 1 0 ] o*-o . D(ks. M)$-it»T-# 

f^t-£^^IIBJ5£f8ffl-?-*Uf. jl— T ft^lcs£iettLT^S#A>WT'fc9. ftA*«««>tt 

tf&£i6&1fftB&filftLTIri££2:£, -c^B^Sr";}^ ks'£fflVvCD(ks', M)£frffL. «8£eD«-5i-Sks£:ieii 

j*fc^4£fc*<«HMc|E!irc , S4. CftAfcJKBLfc" -f S^AKSrO-f a b LXi> . E(k P , D(ks', H»* 

ffi^Sflv-X-rAa*. Masahiro MAMBO. Eiji 0KAM0T0, MT'£>9. ^ft^(i§IXo;fc^a^jE&&<OT'*>&.r 

"A method to publicly specify a signer with hidin b fcj&*"C# •§> . 

g identity. The 18th Symposium on Information Theo [0 0 1 1 ] D(ks, tt)tf&3L$tlX t>. E(k P , 

ry and Its Applications" (October 1995)T-|Sg?£*l D(ks, M)') *tiX'$>K) . &m%te&Jfl->fzffi%xtrVFjE%: 

T^S. .IftSr. UTFt'Ji '"MOxX-rAj.toy^.rfcC i^T*fc££i:£*a.|>££:#T'# S. .I<7)D(ks, M)£rM . 

20 r^-Y^A-W^j fciqu;. 

[0004] JiTF. &tiHZ$:Mm$^t: . »:lc:«*D^IE [0012] ftaW^^gBaBirf-^^iaiTC^f . 

-rii^MO^XrA^i^Hat^Bfl-r^. Hf^ftifZIEifi^-C-l'-l.^itLT. RSABf^-(R. 

[00 0 5] C^^HBf^-] ^^i|Bi^-i:(S s Bf^-lli; L. Rivest, A. Shamir and L. Adleman: "A method of 

S^SSfca^&O. Bf*7&£#PIL. ffi^H2rl6^^ obtaining digital signatures and public key crypto 

&Bf^;fejre£>9. jaTO<fc?^r#®i$:i>0. systems". Comm. of ACM, 1978). RHf^-(M. Rabin: "Di 

{\)1&^r&b1a.^&bWW£^^^&&&ffl-?hZ.b gitalized signatures and public-key cryptosystem 
^T* OrM^fBfff£K^>i»4%-.<> : s "f MIT/LCS/TR-212. Technical Report MI H 1979) 1$ 

(KWzktf&WZ'hh. Bf^(H. C. Williams: "Ambdifi cation of the RSA pub 

(2)#fiJJH#li. HlfiH^t, S-g. fS^ttrtfttS: lie-key encryption procedure", IEEE Trans. Inf. Th 
ftV(cL£ttLT&ftUr 30 eory. IT-26. 6. 1980) 3: 

G)m.e,tix ^misxeomm^mmx^^z t . *> [ o o 1 3 ] mmmmtuf^x-^^^t lx . 

itf. Z<VMmjCtft$ti6LZtlX^%^Zb£. Sft*# CHaf^-(B. Chor and R. L. Rivest:"A knapsack type p 

m3>-?htz#><r)l2m.Wm. (x4 VfM&k) Sr^r^ ublic key cryptosystem based on arithmetic in fin 

itefield". Proc. Crypto 84). MBf^-(R. J. McEliece: 
[0006] MmX (¥:£) mztf LX . &BB<OBf-f|i8k "A public-key cryptosystem based on algebraic cod 

p£ffl^JtBWfc;J£f££E<kp. M)t L. ?^0ffi-^|ks ing theory". DSN Progress Rep., Jet PropulsionLa 

£ffl^£«^$f££rD(ks, M)fc-f&h. ^Mli^r^ b. , 1978). E^-(T. E. ElGamal: "A public key cryp 

=f UXAJS. £t t &^Z.O<0^fr£iS*:'$\ tosystem and a signature scheme based on discretre 

(1) V&H&ptf$-X.t>tltzb£E(kp, M)eOWtMlt&%X' logarithms", IEEE Transaction on Information Theo 
*>9. m^-Hks*^i.4.iTJtfc&D(ks, \\)<r>%\mtm^> 40 ry, Vol. IT-31, No. 4. pp. 469-472, 1985) & 

(2) t L«-^®ksSr»l<i>^U^4>. Bft^kp. S&ftM [0014] BiBlfi*tft0*r# LT. S«r^ 
m.<r>l\%^-^ Bf#f*)i>C=E(kp. H)S:»loJti: LT (A. Shamir: "A fast signature scheme". Report MIT/ 

J FXMSr^-rS«It(i. -e<OtfS[*A»^SIiT?> LCSAM-107, MIT laboratory for computer science. C 

6. ambridge. Mass.. 1978) . LBf-^-(K. Lieberherr: "Unif 

[00 07] ±I2(1)(2)KS0^T. ^Olfeft orm complexity and digitalsignature". Lecture Note 

(DWfc&t&ZtlZl: 0. ${$KIfia^JI'C'£-&. s in Computer Science 115 Automata. Language andPr 

OJ-^TOTlfcMlwttL. E(kp. M)$:fe&~thZ. bifiX' ogramming, Eigtht Colloquium Acre. Israel. 1981). 

V&VfifciL-th. GMYBf-f-(S. Goldwasser. S. Micali and A. Yao: "Stro 
D(ks, E(kp, M)) = M 50 ng signature schemes". ACM Symp. on Theory of Comp. 
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uting. 1983), GMRBf-5f(S. Goldwasser. S. Micali and 
R. L. Rivest: "A 'paradoxical' solution to the si 
gnature problem'', ACM Symp. on Foundation of Compu 
ter Science. 1984), EB|^-(T. E. ElGaraal: "A public 
key cryptosystem and a signature scheme based on 
discretre logarithms". IEEE Transaction on Inform 
tion Theory, Vol. IT-31, No.4. pp.469-472, 1985), 
osni-f-(|S|*. gffi: '"*JiS«B:'j:if<i/'^H« 
JjiSr, m^ffiiD), J68-D. 5, 1985; T. Okamoto and 
A. Shiraisi: "A fast signature scheme based on qua 
dratic inequalities", IEEE Symp. on Theory of Comp 
uting. 1984), 

[0 0 15] Fiat-ShanirBf#(A. Fiat. A. Shamir: "H 
ow to prove yourself: practicalsolutions of identi 
fication and signature problems", Proc. of CRYPTO' 
86.1987), SchnorrBJH§-(C. P. Schnorr: "Efficient si 
gnature generation by smart cards". Journal of Cry 
Ptology, vol.4, pp. 161-174. 1991 )&•£'#£>£. 

[0016] mwrn^mt lt, tmmt&Jiz#>s>z 

&&SchnorrB§*|-£gfcB8-$-s. Jar*>8Mllc*iv> ' ' 
T, a"b(ia<7)b^S:*-r. 

[0017] mitt. *z*mm>t. qip-i (qtip-i*- 

S»JD«M>) {1. 2. -, q- 

ll^-0^a{:tSt v a A x=u (mod p)£S!rtrfx 
(=DL(u, a)i;ie-r) 12, #oTftoF(p)±fc:i3j*Sfi|ifc 

mcv&Oi p. q. «, uttx. btitil'cxi&immz 

^ t im L n t Ztix v* h 

[0018] SchnorrBf-tT'li, St^aE-tV? (KAC: Key 
Authentication Center) tfi/Z.T-kCOlJffltt, Srff 0 . 

<v^EEffigBIScTS>&. oiO, eSO^$<7>ffl5:A^L 

{iOKLhq*St<^^S^-Cfc 2» . 
[0019] *is*TA$mit 

(DSifglE-fcy*(KAC)i3;, ^#^ifcp(^r512)fcq(S 
2*14(»MK«»IW-*. fcftfU.-q.'p-lT**. 

(2) KAC{i, aeZpj&voeTq = 1 (mod p)&6 a (=*=1)£ 

(3) KAC(i, h: ZqXZ — {0, — , 2*t - .1} ZMlf&mt 
h. ZZX\ t£ fcOfUc. 

(4) KAC«. g#cOg£fficD&^fc«B&&£j!!tf, &0H 
SSr^-rS (#Ji.tf, Fiat-ShamirBf^^rt') . 

[0020] •St^fig 

^7 i A(ClQA^-&^--1f (&&#) li, 0 < s£q&£ 
ffiSiOSffcsSrStA, v= a~{s) mod pSrftg-f § 



(4) ^Sf 9-298537 

6 

^<OlB?eS|{isT*0, -^gaStivT^S. |g|iE#{i, - 
ttLXVACtf (mtiL Fiat-ShamirBf^-T) 

[002.1] ( * •/•fe->?mfe:jkfr-S,S« ) 

<1)S=&#<±, SUKreU. q>£§tf, x = a~r (mo 

<J p)Srtt^[-rs. 

<2)g£#{i, e = h(x. m) . 
10 (3)g£#li, y = r + s-e (mod q)2rftg-f 6. (e. y) 

[ 0 0 2 2 ] «*«ttGE 

^•»-fe-^»t**(e. y)«:38R-»fcB«#fcL flili&eD 
^rvtf>7JE3tt£WKU <^^igfg-rs„ 
x' = a~y.v~e (mod p) 
e = h(x'. m) 

[0023] [^tt^iiEHj] ^tmmmut. hztsm 

0*<ifiv^W'(£EHftWW) • 
(3)*jaflKtt: «P»WE I Itfill iffim»\Z0> J: -3 1= 

v*.- ■ • • - • '.' ' ; 

[00 24] $>zim (&m -tfax^sw&svji:.. 

[0025] ft^^r— Mi: LT , J. Boyar. D. Chau 
m, I. Damard, T. Pedersen,' "Convertible undeniable ' 

signatures". Proc. of CRYPTO' 9MZi>\,iX1&MZtl 
tz. z =DL(u. atefaX^bW&mifi* z*tyt>iMZ 
-r^ifc5r<DL(v,w) = DL(u.a)fr|EB#?&*ft||RE- 
B^raha^fttHJ-f-S. fc*fL, DL(u ; a)im%% 

40 C0*§£\ «"{DL(u, a)J =(mod p) ) . 

[002 6] •DL(v, w) = DL(u, a) SraEBJ-T^^IiS 

&TX'li. tP^^P(Prover) , ^U*$-V(Verifier) t 
tit. PiVfcv, w, u.orfcfcloTlvS. 
(D«liI#V(i, SUaatbSraiWa. beZq), ch - Va-. 

chSraEHa^PKiHS. 
<2)BEB3#P{i, SUatfrSltX(tGZq), hi = ch.a~tih2 
= hrz$-^y>, (hi, h2)^«ISE#VtiMS. 

(3)fcn*v{i, (a. byzmmmnzmz. 

50 (4)SEB3#Pii, ch = w"a.aT)S-5|f2L, t^«|IiE#Vtc 
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(5)l$IiE#V(i. hi = w~a-er{b+t} thZ = Va-iT {b+t} 
[00 27 J [-r-f^/Hi^SsSJfiLhWRIBLfcA 

•ft 1 . D.Chaum. E. van Heyst, "Group Signatures". Pro 
c. of EUROCRYPT'91. PP . 257-265 (1991)tCtlS$^T 

-t. 

(iffiH2T'£ ■£> ^yu-r^) iff)* w \*#IiP!li£ t fcO 

[0028] ?)v-zrm%><r>mmz\^ muz. 
xrj*tfh&. h&\^zmwt&&pL%*x>>*t 
u mftMii$fte>imzm.m>3imznLX7'/\'-7° 
m%**>m.-th. m&^vmvmtfZAsKmfs&ikft- 20 

[0029] 

imiWM&L £ o b? -SPSS] M&LfcChaum^|& 

-p. t-*>u -eoiBrii^^t. *££>ie£ 30 

[0030]— S. J. Park. . I. S. Lee, D. H. Wo 
n, "A practical group signature". Proc. of the 1995 

Japan-Korea Workshop on Information Security and 
Cryptology, IV-3. pp. 127-133 (1995) IZ&&Z tlX V> 

y^mzitm^tT » x y^mmm^^-chh 
m&^ffl^mziMt&m&jn&X'h 

i>, 40 
[0031] #%HJ!ii. ±j£<DFm*Mm-&tztb<Oi> 

zm*t:mtmmi'AT^zm&-t& z t £ awt -t, 

[0032] ifc. *^/V)$rSJDA**§4re&£^f.f 

mm-? h z t 5-ft^awt-ts . 

[0033] *— vy^**«iM&tf>flW*fclf"3£ 



[0034] 

mm-h-^&tk lx . ixrnmtfLZffiz. & . 

[0035] *fMHfc*>*»*-f -f S^*^;l«45*3«l±s ^ 

5ii2¥gh. nmb-t^m^m^^m^t^m^ 
®k£?r?hzk£ftmk-tz. 

nmcvmizttLx&3---F<Dimm*:i%iimk txm. 

v?)vwz»ttX'$>-ox, mmiznLxiL&zmm 

b LXi%mn&£ft^tzm&Zm-co)&b?&&£Mx 

f^rk. jsje^w.— rwAfflmzttLxmmsiMZfi 

t LT IgMtgSr tz&&*m-<r>'£§mb 

m®(?>m<i%3-~ m&me>3L--9 ! <tti?tiiztt 

JS-TZmiWl-cvVifflmztiLX S5-tf>-r * ^/l^ 

[0037] ^wnx.frfr&mmmi'^Mi.. ?)v 
?j^-7<o'jtmmzm^x , ^tttss** 5 

i: Sr^rr-i. f vfivm&ttzm^z, z b &nmb-t 

[0038] 

[0039] *»3lfca»*»*'7 r -r ^ 

^niEBjs(c^< t ^ t J?)\sm%,*7)v-7m%b-r 
z> t>cox'$> o , *miizfrfrhw.&&mmmwir£<<z£ 

[0040] use***, gLSctct o . 
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[0041]f-( i^A^lfcil/lsfecOSfl^tis f 
4 ^n*feltcj:.0. BMUZtuftJ*?*— 

%e>x'm.%m%>tnj£. 10 
[0042] z<?)£ i tc, m&mimmztifii*-v v 

[ o o 4 3 ] wzmemfti* &.<o x o ttm* t & . 
fl«siift*-y yf< zAi*.- *r?>* ^<tc^«row 

[0044] — 2u *ft^P-7»6JC«L.T . > 

hKtz%mmt yjvmmvm t \, vrm^x-mm 

T. -5-^)IIBBSrS^ri.C:i:K«t0tt*<iiEB^-C'S>S*> 30 
[0045] 

C: Anonymous Public Key Certificate) ^fifctOlClftBil 
U act. -e^SriEfflL^^-rS^SrlJiBB-r^. 
[0046] [ E«&6NHE9»*3$] BHtt&M0P» 

[0047] iOy^fAli, ( IHMKtftfr 40 



[0048] HltCtJW^-C. r &IM(Public Values) j 

(Public Database) j (i^^iXJt-r-^^-X, ^9) 

-^-{iMa^H^^-r. £fc, r (Specified Si g 
ner)jti s rj|^(Specif ier) j IZX 0 JL-lftfXW* 
fcatfftfc»*#fc*U r Slf£&(Verifier> j 

[0 04 9] Step 0 («<•) : isA J ?J*$M0>T-9.k. 

q=l (mod P ), Zp*teZqj&*o P fc£Wcf[rc£>S£g&tf>J6 
, — ^iW'WS'.xHRh: ZqXZ — {0. rt 

KX<7>3-—?tfT7*L*X'%. ^o^^^KK^t-^jg 

xizmiiZtix^&t><7>k-?z. ]ar^>KW(d3 

[0050] ffig&iti&Mv.i tl&S^fe.i (v_i = a 
~{-s_i) mod p)££j£U QtimZSMn?-?^--*. 

S5af«vJ-(v_j - a~{-sj) mod P )££j£U d^BMIt- 

&ffle>7 : -?'<>-Alzm3£t&. 3.-^fli«BffiPSU' 

[ 0 0 5 1 ] Step 1 (i-ifS^i:^f3) : |gS£#i 

(iaii^-r*Epioi) . s^j^ranvj^sugcri 1 : 

fcJtfvvr^U^fcfttTU z_il::*H-4g:& (Schn 
orrBf^-t^i^g^) <Hlfci*tf-#Ji<l)) . * 

(KBJ#) **45#jfi:3c^fcaa* (^lfc^-T^ 
EP102) . ^iz^h-^mtLX. mftLtzm 

[0052] IWtti «56#itt-<«»W» aiSrJ 
(rj e Zq*)»S^ JteSfciO^t^-^^sRaft;- 
S^&(yJ. ej, zj)£»fe#jfc:ia*. *4J..rJ e Z 
q**i. Zq*^ib 7 >yA{rr_j5rM^Cl i: *m. LTIV&'. 
x_j = a"{r_j> mod p 
z_j = {v_j>"{r_j} mod p 
e_j = h(xj, zj) 
y_j = r_j + e_j «s_i mod q 

[0053] Step 2 (S4W>£j&> : S« 
(yJ. ej, zJ>^#tCA*i. ite«fr«EW*. 



ej = h(a~<y_j> -{v_i)~{ej} mod p. zj) — (1) 

z_j =(a^{yj} • {v_i>~{e_j> mod p)"{-s_k> mod p 
[00 54] -eUT. ^LJtV^y-t-^mU)^ ^x(j) = {x_j}"{r(j)} mod P 

U &.<rm&ttX'm2,££.jS£tZ. oiD, S^^j e(j) = h(x(j). m(j)) 

ii. «J®<OSUa:r(j)S-Sl/(r(j> e Zq*h. <fc££if-Jl[ v(J) - r(j) + e(j). S J mod q 

XEp [0055]fU. ((yJ, ej, 



z_j), y(j), e(j). 
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•U))*W&b LX 

(3) . *£P103) . . 
[ 0 0 5 6 ] Step 3 (W*<7)5II2) 

h (iaitc*-r^wi(4)) 

e(j) = h({xj)"<y(j)}.{zj}"<e(j» mod p, m(j)) 
[0057] JJBjWiBT* fzts:t>\Z, jg<g# <i£Ig 

[0058] vxtnm&<mmmmi^zira.<r>&g. 

(l)}§^i^Wf*fj5;}l£t'l . *«>&ilft*<IiPf! 

(4) g«,S^/i ) ^S^j^i|aJsiN-i, ( ri;, tj«t^ 
E*&&£&it-r& £ i: fiEirt'&S . 

[0059] [E«^RIIiEHJ»tca^< ^;l—7*S=g,. 
fl3(i*^^^7!?^E«^giaiEBgsic^< 

(Group Signature based on APKC)£ 

m^t:~>XT-j*<7)Wt&m-c. &&mm*-y w-? (Ano 

nymous Communication Network) Sr^fLT* }§tfetf).3- — 

[0060] m^z^rrmm^t. mmztvfc*-*/}) 

[0.061] TfcBfJR-r*^ w-y. W4. E 

4&MMclE9MF(y.J. ej. z_j)i3j:tf(y_k. e _k, z_k) * 



t:S^- ^^NTSW<7>S*^(y(j). e(j). z(j))£ 

^-TW£«y_j. e_j, z_j). y(j), e(j). z(j))£i* 
S. 

[0062] .3-— **VfcL ^/P-^^^v_«ZA> 
WC, E^^^iEBJ#(y_j. e_j.z_j)^^SEL. -£*V 
A^ttSl$iXl>ffl$rffl^T(y(j). e(j), z(i))^mtt 

[0063] v±<7)Mim%i*i®£m4&m%iz vxm 
ws. mAim^<mmLmm< l zm^<^iv-ym^ 
ttzmw-f&titbnw. m5&7'}\s-7-m%,j&iizm 

[0064] Step 10 (IHfll) : K4&HMHHBS3nft 

«?5Step Otffit. 
20 [0065] Step 11 ( * y ^t,znt hmm^mf) : 
V U f- -r ZAfi . J3-— *f j £ w N'tc-T £' 

*»J£lt*U zJ{C^-r5W=S (SchnorrBf^-tJ:^ 

m&) *i&#> (muzaki-^ma) ) . x>'<uzmtm 7 

£ (E4iC^-r#Wl(2). 935402) . 

[00 66] HffcW£li. *gj£#i{± <W&7)) fLSr_j , 
, , ,<r J e Zq*> ^ SIX. ^K<t 0.*>^^^-^^>si 
S=S(yJ. ej. zJ)S:^VAjiciSS. 7." 
x_j = <*~<r_j} mod p / 
30 z_j = {v_jr(rj> mod p 
e_j = h(x_j. zj) 
y_j = r_j + e_j-s_{ZA} mod q 

[0067] Step 12 ( ^-ri^M) : * 
{±. W£(y_i. ej, z_j)£^£A*u <ta££5Hg-r 



ej = h(a"{yj> • {v_{ZA} T {e_j} nod p, z_j) - (2) 
zj =(a~{y_j} -<v_<ZA}}^{eJJ mod p)"{-sj> mod p 



[00 68] ZZT. xj = a"<yJh<v_{ZA>r{eJ> 
mod p^Ol-Jt^SOt. mMi£f£«Mkt 

(r(j) g Zq*). ij^Srltm-rS. 
x(j) = (xjr(r(j)l mod p 
e(j) = h(x(j), m(j)) 
y(j) = r(j) + e(j)'S_j mod q 
[0069] *LT. ((yj. ej, zj), y(j). e(j). 

*m*yiv-7m&tLx. tt*i&f*3k* (muz 

[0070] Step 13 ( 7il—ym%,<vm&) : lim 



mzx 



(HIS 



ttmSfrZ (miztfrt^MU) > . 
e(j) = h({xj}"{y(j)>.{z_j}"{e(j)} mod p. 
[0071] IMfimUX-ZttUi , 
^) ^ 7t-y B (j)tC*tt5i^U-y 'Jf -TZA 

[0072] [ ^-rW«<7)§B^^] ^ £ 

^•6. tztcL. n^co^JU-Tm^meJk. y_k. z_ 
k), e(k>. y(k), m). *<7M%&&* *—VV 
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[0073] srisi (mmztiti*- v>jT4iz£&ffl 

(ir_k (= DL (z_k, v_k) ) Tfc S CI . 
{0074] 3T-V 'J-f-fZA <<B$gP) SHK) 

(v.w) = DL(u. a)2rEHJ-rS^iSEB8roh3^2r 
mmLX. DL(z_k, v_k) = DL(x_k. a > £I2fiE#Vfc:# 
LTIEWS. fcrtfU x_k = a"{y_k>.v_r<e_k) nod 

[0075] •DL(z_k, v_k) = DL(xJc. a) £IE91-f& 
<l>SHB#Pli» vjc«ME*Vfc3ii*. 

(2) immm. m&bM&, b e Bosses ch = < v _ 

(3) iE^B#P«. SLRMt e Zq)&8tf, hi = ch-cTtt 
h2= {hirfrJrtfcfWU -Wife *BIE#Vfc3&* . 
(4>BK*Vtt, (a. b)&fEHB«PCC&*. 

(5) iE^B«Ptt. ch = <v_kra.a~b£i|fgU tSr|giE# 

(6) I2SE#V«. hi = <vjcra-a~{b+t) fcb.2 = IzJcPa- 
taJeT<b+t) • 
[0076] 3rfc, ±£<OToKr?;KOftbOt=:» Pl« 

[0077] umi <4M>a«cJ: SS^OSIS) : t 

[0078]* >Aj ( ffiBJ^P) (i. -e«o^;P-T^ 
tz^ix-C ^l»z_kKMJ5-r^lg®^i^^^tc 
*ttcrr SM8fc_j = DL(zJ , x_j> fctiPSr-S i k £ 

(i2II#Vt) Sk-T. -5^0. DL(vJ, a) * DL(z_k, 
x_k)$:lUT<7)rnhr7/l^t-iEBW-|). fcrtfU p. q. 
a. v_i, v_j, z_ki>±tftc_k = a~{y_k) • <v_i}"{e_k} 
mod pti, SEBB^PfcEiE^VCOW^^oTV^T. 

[0 0 7 9] Srfc. BC(r, R)HL SUSRSrA^Lfcb'y 

h rOb'y h 3 * >y > r- 'fclftf*!.*.. 

b'-yMcoivf '0' *> '1' <?>mtifrZMiRL. -f^ffl 

^■S&^fiT'&S. «£'-oT. ai&R fcT-r? 
5 -y > L*rtt£H^-t-£ |S| tZmmizttLXM? b' y 
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to. M£t2Vl. B.Damgard, "Practical and provabl 
y secure release of a secret and exchangeof a sign 
attire". Proc. of EUROCRYPT'93. pp.207-217 (1994)tC 

[0080] •DL(v_j . a ) * DL(z_k, x_k) SrffiEHJrr 
mod pZ-^mWI-Z. 

(DBHVtt. SL&e(e e Zq*>i:/3 e <o, l}£3i 

mptzmz. 

[0081 ] 

0 = '0* ^^tf (a. b) = (cTc <vj}"e) 
$ = '1' ^4»tf (a. b) = ({x_kre. {z.k>^e) 

(2) aEBB^P(i. A~<-sj) = b (mod p)?)j&4£«it2U 

= '0' fcL. g = BC(r. R)^l2IE^V(=iilS. 

(3) M^VJi. e£tiF5i#Pfc:j*£. 

(4) iEB^P{S. (a. b) = (a A e. <vj}^e)*l,^{i(a. 
20 b) = «x_k>"e. {z_Y)~e)tiif8&?Z>Zk*VmL^ £ 

/visarvv^c^jfans = stopi: U ansg-lgE^VKiilS . 

(5) l2SE*V{iv ans = stop<?5^{Srn h ajHWmZ 

-e3T^rv^-^{iBC(r. R) = gS-SS^-TS. 

(6) ±IB(l»ii> (5) S-^ffrlsISg 0 iS-r. 
[0082] 75rfc. ±IEtf)rn h n;uoftb 0 fc .' ^81 

[00 8 3] £m##gi^Lfcv^/l'-TS4£^S 
30 J^±^-^^OM^n*nfttS:Slfi^-S 
J: 3 l-igJiip-r -5- i i: izMz. . WTOJ: o t^J^p-TS .r h 

LTStfrT-* Sid OWW**S6f*& . fS-lt: 

L«rvt»^-I4. ^ffi25:llfi : -ri.SiJfP^ffiT'«>S. 

[0084] 7>l~-7tfim&£t&m'&li. 
40 7* (a, b. -fc-r^) tmtSiiT^S^-y'Jf 
*ZA_a, ZA_b. •••Srgtt. ^-yj-r.-fZA^SIW^ 
^Hv_a. v_b, ■■ fcft^tt. fiJHT'#S# 

— y u -f> ^ ZA**#^;p-r(=MiS-rsilsiJo^ra 
Hv_a, v_b, — Sr'ta-TS. J>SV^±. -5-ix4><04>^fl<j 

[0085] JSJttf>!l«B«=*svvc. v^t± 
50 4«*fet,oflHB«uii8K..«f(iar'''«-y^3^K* 
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4. ra*. ns#. sft#<7)^{ci3(t&aft 

[0 0 86] *LT. rt—V+tVz^YZa.—ftot. o% 

^X'J7*7 r-7-*<LAN)te*iVvCk. mmsmrn. 
i: (c«fc 0 . B«ftPUHE0ift(c&?< r 4 5^rt*&* 

ZbtfXZZ. 

[0087] ttz. ±MZX'te. 3r-V»J>-fZA*i. 

[0088] a±mm Ltz* o *mtmmizfrfr& 

roo89i*ft. ^mmmzfrfrhyiv-^m&K 
ssii. h^y^-Tm^izfdLx. vi»T-*zA»i, 

zmttzztifvi&X'foh, m-?x. tt—9*m x# 

< 3r&±. jfr—'y 'J x 4 ZASrfflV^TS^^Sr^T 
p £ i: t . 3f-V 'Jf< ZA*<^»(^gg L&Mt&tzm 
^m^ffo Zbi>X'^. X(7)(SMb m?n 
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amitzmm- h z b h . 
[oo9i]$ <i>c *mtmmizfrfr&?')i>-7'm2, 

o<ox\ * y^comxcomzxmzmv&t&mtf* 

[ 0 0 9 2 1 ifv!. B5^LJtPark^*y&rs yiV-zT 

m&t&ttz&nh&mmeKk* s t . 

10 ^.TJt^-r-Si:. Park^^;P-TW=S^&$^'1676 
t'7ht:^5 (k'A = 70b Ltz) MzttLX. 
izfrfrhttffyriv-ym&erxk* £tdll08t*-y hX'h 

h . tot , $ *^34%3'M-c§ . -eo^-. 

[0093] 

{3S29&rm\ wr. ^m&zfrfrhminimmvtt 
x. mmwm&bv&mmnmmz^xii. m—w^ 
20 [0094] mMLtzmummizti^xte. z_jtc:*fr 

p. q. xj, z_j£&ga&. sj$:|g?&lii: LT. ^ v-fe 
- i/'m J (C^ LT Schnorr Hf^-^g^ £ jgffl L 3^ „ itliC 

T v Schnorr8f#i7)W*TiS'5:<EBt^-<T. E. ElGamal: 
"Apublic key cryptosystem and a signature scheme 

based on discretre logarithms, IEEE Transaction on. 
Information Theory, Vol. IT-31, No. 4, pp. 469-47 

2. 1985)S-3iffl*r4. 

30 [0095] ixrx'iz. mmmmbm%h&tzvz 

[ 0 0 9 6 ] Step 12 ( ^/P-rS^^^fig) : 

ezq*). <fc^Srf^:-ri,. 
r(j) = {x_jr{kG)> mod p 

s(j) = (m(j) + sj.ra»-k(j)"{-l} mod ( P - 1) 
. [0 09 7] -f-LT. <(y_j. e_j. z_j), r(j). s(j). 
m( j) ) £ m**b LX . £S4rffi#t3g* . 
40 [0098] Step 13 < ^-rS^^Stlg) : ±I2W 

Ixjn«(j)l = {z_j»-{r(j)>.r(j)^{s{j» (modp) 

[0099] ±M&)mmxzttt>i£. (mm 
mm. * v*-Vm(i)i,zm-z>m&\t*-vv7-4Zk 

i, zm*bt>titzX >'<IZ i ~>X&s8LZtitzm*>X'*>% btfi 
[0 100] 

. [^3Hte^®] kit. *&mzfrfrhw&mmBm.<m 

50 ^fiilft^XxASrSiBj-fs. m3|IS©B®^ctiV^ 
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•c. mmmBmtwmmnmmz^Ti*. pi— ^ 

[ 0 l 0 l ] Ura t Jtflll t5 «k tf)(I2ftl£B!B(c& t >T 
lr^4JfiU. ^-/•fe-ynJt^tTSchnorrBt^-i^ti 

&mi£&b LTNIST(NationalInstitute of Standard a 
nd Technology) tUSS^iX^DSA (Digital SignatureAl 
gorthm: H*ffl]«. flWSltAH. ftfttiJK. pp.136 

[0 1 0 2] p, q, xj, 2Lj^4MIMt. s_j£M®mb 

[ 0 1 0 3 ] Step 12 ( *OP-7B4W>fl5|ft> : 

*#*Jli. «^>SI3fck(j>£aStf(k(j) 

r(j) = (fcjr<k(j» mod P ) mod q 
s(j) = k(j)^M>.(H(m(j)) - s_j.r(j» mod q 
[0104]fLT, (((y_j, ej), z_j), ((r(j), s 
(j)), m(j)))£g£fcl/t. aMKrWCi**.- 
[ 0 1 0 5 ] Step 13 ( ^U-T**<7)5iI2> : ±fSS 
£fc»ILfc«K*±«*>fc:. *(2>fcW*U 0 < r 
(j) < q, 0 < s(j) < q fcWBLfcflfc, <KO*!UI£?t 
5. 

w = (s(j»~M) mod q 
ul = H(m(j.))'W mod q 

u2 = r(j)-w mod q v •; - -.*"• . .. 

v = (<xjr{ul}.{zjr<u2} mod p) mod q 
[01 06] -?• LT v tLb^ftK^*^v = r (j) 
BU WBTSfc*£t«MHdfcti>iC^***li^ 

[0 107] 

t» mioi^fcmiRawxriiiRfcov^Tii, r-«f9 
[01083 mftLtimfrbwssmttmmtzii^xi*. 

z J tcStf h ^^filiE D ^S^SchnorrBi-f-<r)S=S Srffl V 
£fltU ^•7-fe-ym_j{C:JtLTSchnorrBt# N EBf4f£ 

S«5r®ffl-rs £ k tz&MtZ . 
[0 1 0 9] xJ = a~{rj> mod p 
zj = {vj}~{rj} mod p 

[Olio] Mtetmzte. tarnkis 0 Xhh . 

[0111] Step 11 {X>'VZtt^&W!m<Dmf) : 



1 8 



ftBWrJ e Zq*>, 

x_j = a~{r_j} mod p 

z_j = {vj}~{rj} mod p 

SJ ■» (z_j + s_i.x_j)-{r_jr<-l> mod (p - 1) 

[0112] (xj. sj. zj)£4tmmwm 

kTZ>. 

[0 1 1 3] Step 12 (7/U-7m2,C0ft&) : 

10 ~?&ZkWX£&. 

a~{zj> = <v_i}"<xJ}.{x_jr<SJ> (modp) 
z_j = {xJTI-SJ} mod p 
[0 114] 

[0115] .fflft L?tlS4||Sg®®(;*J <, vc&, zJK2* 
^S^aiEB^S<^|£{CSchnorrB&#iOS*<?)fti5 0 
20 t=EB»f-«r3TO-r*«SBfiBLfc. £*lfc*fLT, Schno 

aET# & J: 3 fc, SrJSffl-f ■& £ t izmxth . 
x_j = a"{r_j> mod p 
zj = <v_j}~{r_j} mod p 

[0 l l 6] mtoWizii. V.Tcok*>*)T$>&. 

tO 1 1 7] Step 11 (*>^lzm-hW$m<7>ffi7) : 

£SStf (r_j e Zq*) . iJcS^lwV* . 'y . ' - 
30 x_j = a~{r_j} mod p ' 
zu = {v_j}~{r_j} mod p 
SJ = {rjrH>-(H(zJ) -sj-xj) mod q 

[oi is] *l.t. (xj, sj, zj)z&mmwm 

[0119] ^raHEBJSOjESttti. ^(c«B 

"C*ft. i-T, 0 < Xj < p, 0 < SJ < q ^HBLfc" 

[ 0 1 2 0 ] Step 12 ( *0l'-'r»4W>ffcR ) : X ^/^j 
tt. ifc*^ »)4oli r&Sm3EQSftV)jES1£^IIB 
40 *tT„ 0 < xj < p, 0 < SJ < q 

w = {SJ} "{-1} mod q 
ul = H(zJ)-w mod q 
u2 = xj»w mod q 
v = a~{ul}- {vj}^<u2l mod p 
[ 0 1 2 1 ] -5- LX ; v = xj£i|12-f ^HIEBB 

zj = <xJ}~{-SJ} mod p 
[0 12 2] 



(11) 



1$gSPP9-2 985 3 7 



1 9 



2 0 



[0 1 2 3 3 4*:. #&f$l<7>@ftite. mL^^lflSJBJB 

ttLfcEWW**. S'XxAJ&&v>U36Bfc:«ffrU * 
WyXfAibSi^iii^nytA- ^ (4fcW:CPi«>M 
PU) j^*^«c(c|«rtSiifcroj/9A3-H«rKfflU 

=5rv\ K««*»»6«ajS*ifcrcr^5A=i 
- F g flctfmFiB Lfcl8fe»matttt&SgfH-* z b IZ% 

-h'f^7, *f<x;, 3fc$£vr-f CD-ROM, 
CD-R. KSvf- 7*. ^RWfttt^qeu^-H; RON* if 

3 - F fcHfrT* Z t tc J: 0 . B?M LfcggtiHBatSIK 20 

3i$iT.&i§£-t>-£-4*U>rj:{iS-5 4Tfc«rt\. 
[0125] $ -fete. EiWIft^ftBBttS^T'D^^ 

, *<^>flwtaaB* - F*«tt8SR f 30 
[0126] **iH*±eE««fl*auwr*«^, -e 

*ra^A3-F£«*W-&£i:fc:«r*#. ffi*Cft 



W*-* fc . 06A*i J:tf6BC9;>< -y TffltCjjrf 

&<fct> r iiy£j riiigj ijj:t/ rgg^j co^-tv'i- 

j£j rji^j rgfs-oS££j£j i5«fctf rgg^j ^g.^. 
^-/K^a^As- FfcE«8»fc»*!r**ittf J: 
v\ 

[0127] 

new* £fc 

[0 1 293 4fc. *-y •/ 7^ jWHM>HK*£ff 3 £ 
[EriBOflMt&SH!] 

[01 3 *fffiC^44M«»i^ti6fflL«:E«4StBH 

[02 ] ^SiliEH^(=;B3^--S«ia<05£h.cof|^^^-r 

[03 ] *Xffi{z^«E4d»RMIEim=^< yiV . 

[04 ] S«&fMHFS*feX^< ^P-rW=S^Sr • 

[05] ^-rW^*^c:m-SKMc7)Mn^<SlgS: 
tjt?"? O— f-v— FT\ 

[06 A] ;«HJJfc:0»a»* r 5 A 3- F fctt** Lit . 
§21t&te?)* « U "7 -y 7W&3^*-BL 

[06 B 3 ^WHfcfrfrirn^As-FfctSlftLfc 
EH***)* t'J77 T0«£*rr 0T£> £ . 
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= a Vi • vi* mod p 

eO*)=h(xj»<i> -zj«(i> mod p,m(j)> 



[05] 
( START ") 
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P,q,a,v ZA .h(,) 




xj = a" ■ V2a* mod p 

e(j)= h(xi»o> • 3i«i> mod p. m(j» 



(WP AT) 

II - Digital signature method for information communication - using 
specifier and signer to provide digital signature which accompanies 
message sent from signer to verifier 

PN -EP-804003 A2 97.10.29* 

PN -JP09298537 A 97.11.18 

PN -JP09298536A 97.11.18 

JPNA- J09298537 

JPNA- J09298536 

PA - (CANO ) CANON KK 

IC1 -H04L-009/32 

AB - EP-804003 A 

The digital signature method involves generating public information 
based on a common public parameter and an uncommon secret 
parameter. The common public parameter and the public information 
are converted for use in obtaining a signature for a message. 

The signature is generated based on a common public parameter 
and the uncommon secret parameter. The relationship between the 
signature and the message is confirmed based on the converted 
public information and the converted common public parameter. 

ADVANTAGE - Does not require special authority to open 
signature. (Dwg.2/12) 
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